Syrian Electronic Army Hacks Reuters via Third-Party Ad Provider

The Syrian Electronic Army (SEA), known to favor major media outlets as targets, successfully attacked Reuters by way of a third-party advertising provider, and redirected visitors on their website to pages under their control.

Readers who attempted to navigate to an article about a Syrian Army attack that may have claimed the life of a teenage girl were redirected to this page:

Security researcher Frederic Jacobs reports that while the target was ultimately Reuters, the compromise actually took place at third-party ad service Taboola.

“It is still unclear how Taboola was compromised but given SEA’s track record, phishing would be my first guess. As many of the previously compromised organizations, Taboola uses Google Apps. The Syrian Electronic Army has repeatedly used their Google phishing templates to trick users into giving up their passwords,” wrote Jacobs.

“By compromising Taboola, the value of the compromise is significantly higher than just compromising Reuters,” Jacobs wrote. “Taboola has 350 million unique users and has partnerships with the world’s biggest news sites including Yahoo!, the BBC, FoxNews, the New York Times… Any of Taboola’s clients can be compromised anytime now.”

Taboola conformed the breach in a statement:

“Today, between 7AM — 8AM EDT, an organization called the “Syrian Electronic Army” hacked Taboola’s widget on Reuters.com. The intruder was redirecting users that accessed article pages on reuters.com to a different landing page. The breach was detected at approximately 7:25am, and fully-removed at 8am. There is no further suspicious activity across our network since, and the total duration of the event was 60 minutes.”

Jacobs says typically websites like Reuters use around thirty third-party services for placing ads or for site traffic analytics, all of which increase the potential that hackers can successfully infiltrate a platform, and recommends administrators reduce the number of such services to a minimum, as well as implementing two-factor authentication.

“Since phishing seems to be so effective on most non-technical people, you should deploy two-factor authentication. If Taboola’s system administration had enforced 2-step auth in Google Apps, it would probably not have happened,” Jacobs said.